Senators bewildered by Equifax contract with IRS after hack

Senators bewildered by Equifax contract with IRS after hack. Maggie Rulli reports during Action News at 5:30 p.m. on October 4, 2017. (WPVI)

By KEVIN FREKING Associated Press

Wednesday, October 04, 2017

WASHINGTON --

Members of Congress expressed bewilderment Wednesday that credit reporting company Equifax, under siege after a data breach affecting more than 145 million people, has received a $7.25 million contract with the IRS to validate the identity of taxpayers communicating with the agency on the telephone or through its website.

The contract was the source of consternation in House and Senate hearings. Leaders of the Senate Finance Committee also demanded answers to a series of questions they submitted to the agency's commissioner.

"Why in the world should you get a no-bid contract right now?" Sen. Ben Sasse, R-Neb., asked former Equifax CEO Richard Smith at a Senate Banking, Housing and Urban Affairs Committee hearing in the morning.

Sasse's indignation was soon topped by Sen. John Kennedy, R-La., who said, "You realize, to many Americans right now, that looks like we're giving Lindsay Lohan the keys to the mini-bar."

"I understand your point," Smith said in response to Kennedy's observation, a reference to the actress who has struggled with drugs and alcohol.

Smith testified at the second of four congressional hearings this week in which lawmakers demanded to know how the breach happened and what the company was doing to make things right for consumers. Hackers stole Social Security numbers, birth dates and addresses, and in some instances driver's license numbers.

Smith said he didn't know many details about the contract, but he explained that it was for work Equifax has done in the past for the IRS, and he thought the contract was being renewed. He also said he believed the contract was "to prevent fraudulent access to the IRS."

Sen. Heidi Heitkamp, D-N.D., said Equifax forced the IRS to renew the contract because it issued a protest contesting the awarding of the work to another bidder. She called on Smith to tell the IRS that it's fine to take the contract somewhere else.

The IRS issued a statement seeking to allay concerns about the security of taxpayer information. It said Equifax advised the agency that no IRS data was involved in the breach. The statement confirmed that the renewal was awarded to Equifax to prevent a lapse in service.

"Following an internal review and an on-site visit with Equifax, the IRS believes the service Equifax provided does not pose a risk to IRS data or systems," the statement read.

An IRS document justifying the award said that the verification information is necessary to prevent tax fraud. Also, taxpayers would have more difficulties obtaining the information they need to file their taxes in a timely fashion if the verification services were allowed to lapse.

The document also said the contract only covers the timeframe needed to resolve Equifax's protest.

Smith was Equifax's CEO for a dozen years. He resigned after the breach was announced. No current Equifax employees testified at the hearing. Lawmakers accused Equifax of being too lax about securing consumer data, noting that there had been previous breaches over the past four years.

Ohio Sen. Sherrod Brown, the committee's top Democrat, said consumers should have expected their most private information would have state-of-the-art protections.

"A gold mine for hackers should be a digital Fort Knox when it comes to security," Brown said.

Sen. Elizabeth Warren, D-Mass., said Equifax didn't have enough incentive to ensure consumer data was secure. She said the breach means consumers will spend the rest of their lives worrying about identity theft and businesses will lose money to thieves, but the company itself will come out of the crisis just fine.

Warren has called for changes in how credit reporting agencies operate. She said consumers should decide who gets their financial data, not companies such as Equifax. She is also calling for stiffer penalties when breaches do occur.

"When companies like Equifax mess up, senior executives like you should be held personally accountable and the company should pay mandatory and severe financial penalties for every consumer record that's stolen," Warren said.

"We've got to change this industry before more consumers get hurt," she said.

Smith told the lawmakers that credit reporting companies like Equifax provide a valuable service that allows consumers to get access to credit.

"We're a vital part to the global economy," Smith said.

Smith said he agreed that consumers should be able to determine who gets access to their information and that the company was unveiling a new product in January that would allow customers while online to lock and unlock their credit reports any time they wanted. He encouraged competing credit reporting companies to offer the service to all consumers on one website.